Travelling with Sensitive Information

Today we are going to discuss best practices for travelling with sensitive information: in particular, crossing borders, with some helpful tips for crossing into certain types of countries.

Threat and Risk Assessment

So you are carrying sensitive data with you on a journey. Great.

What are you worried about?

Whom are you worried about?

What are the risks if your data is discovered?

If it is financial data, do you really care if a border guard glances through it? It is an invasion of your privacy, but the guard is unlikely to keep the information or use it for anything. The same goes for data that implicates you in tax evasion or money laundering: most border guards are trained to find drugs, weapons and signs of involvement in terrorism, and financial crime is outside the scope of most border guard training. (Customs officers do look for undeclared cash, so the assessment depends on what the data is and who is doing the inspecting.)

Physical Data

If you need to cross a border with sensitive documents, one of my preferred methods of transportation is to simply not carry the documents on me. I courier the documentation to a trusted person in the country. Many hotels will accept courier letters or registered post if you make arrangements in advance.

However, sometimes you have no choice but to carry the documents yourself. You then have to choose between packing them in your checked luggage, in your carry-on, or keeping them on your person. Hiding the important documents among less important ones works only if the inspection is cursory.

Briefcases with hidden compartments may work if the compartments are hidden extremely well; a compartment that is found turns a routine check into a thorough one.

Most importantly when travelling with highly sensitive physical data: look and be average.

If you think airport security starts and ends when they scan your carry-on luggage, think again. The best example may be Tel Aviv's airport, Ben Gurion, where security begins the second you enter the airport premises and ends when your plane has left Israeli airspace. A pioneer in airport security, Ben Gurion uses automated (and manual) behavioural recognition from the moment you enter the airport parking. Any unusual behaviour will be noted.

Digital Data

If you can: Don’t. It’s so easy not to.

Instead of travelling with sensitive data on your laptop, phone, tablet or other device, encrypt the files yourself, upload them to a secure server, and download them once you reach your destination. Encrypt before uploading, so that neither the server operator nor anyone who compromises the server ever sees plaintext; transport encryption (HTTPS) alone is not enough. Upload and download over a VPN or proxy. (See my previous post titled Staying Anonymous Online for more on that.)

If, however, you have to travel with the data on disk, whether because the files are too large or because you are travelling somewhere with no or limited internet access, you have a few options to consider.

Using, for example, TrueCrypt, you can encrypt your system hard disk (full-disk encryption). A password is then required every time you start your computer. (TrueCrypt development ended in 2014; VeraCrypt is its maintained successor and supports the same hidden volumes and file containers discussed below.) In some countries you may be compelled to disclose the password. According to the Wikipedia article on key disclosure law, these countries include Australia, Belgium, Canada, Finland, France, India, Poland, the Netherlands, and the United Kingdom. The situation in the USA is less clear-cut. As a non-citizen entering the US, expect to be sent back whence you came (possibly after a night or two in detention) if you refuse.

Deniable Encryption

Some encryption software, such as the aforementioned TrueCrypt, supports deniable encryption. Its effectiveness is debatable at best. Perfect deniable encryption would let you deny that any encrypted data exists at all, with no way for an opponent to prove otherwise.

To explain how TrueCrypt does this, we first need to understand what full-disk encryption is. You may be familiar with encrypting individual files, where a password is required to open them. WinRAR and 7-Zip are two commonly used programs that support password-based encryption. When you create a password-protected archive, the files inside it are compressed and then encrypted using an algorithm called AES, which stands for Advanced Encryption Standard. Head over to Wikipedia if you want to learn more; just a heads up, it gets very technical.

To open your compressed and encrypted WinRAR file, a password is required. When you enter this password, the data is unlocked and the files can be decompressed.

Full-disk encryption is very similar, but instead of one or a few files, your entire hard disk is encrypted (though not compressed, of course). TrueCrypt attempts deniability with hidden volumes: an outer volume whose free space is filled with random-looking data, and a hidden volume stored inside that free space. Each volume has its own password. Without the hidden volume's password, its contents, and even its header, are indistinguishable from the random filler, so there is nothing to point to as proof that a second volume exists. TrueCrypt also supports a hidden operating system built on the same principle (a decoy system you can unlock on demand and a hidden system you actually work in).

The textbook scenario: you enter a country and the border guards demand that you decrypt your laptop for them. Fine. You give them the password to the outer (decoy) volume. This is where you store all non-sensitive information, such as your vacation photos, games, inconspicuous software, and unassuming email between you and your wife and secret admirers. The border guard looks through this and finds that you are indeed just a regular person with a perfectly normal browser search history.

When you get to your hotel, you boot up your computer and provide the password to the hidden volume.

The problem is that border guards are not stupid, and they are getting better at this. For now, a hidden volume may work, but there are a growing number of ways to detect one. One is size: if your disk holds 500 GB but the volume you unlock shows only 400 GB, you may be asked what happened to the other 100 GB. Claiming ignorance at that point will not work. You encrypted your disk, and they will assume that someone who knows how to encrypt a disk also knows how to create a hidden volume. A hidden volume can also leak evidence outside the volume itself: the decoy system's recent-file lists, application logs and file-system journals may record that something else was mounted and what it contained, which is why TrueCrypt's own documentation lists a long set of precautions for keeping a hidden volume hidden.

Encryption within Encryption

Say you do not feel comfortable using a hidden partition but still want to encrypt your data. How do you proceed?

One way is to use regular full-disk encryption and keep the sensitive data in a second, separate container inside it. Once you have been compelled to decrypt the disk, the authority will find perfectly normal data and files. One of those files is an encrypted TrueCrypt volume (a container file that is encrypted and can be mounted when needed) with an inconspicuous name (think "flx_install.exe"). Casual inspection will not notice that the file is not what its name claims. Be aware, though, that a TrueCrypt container has no plaintext header and looks like uniformly random data from its very first byte, whereas a real Windows executable starts with the "MZ" signature and contains plenty of structure; any file-type check that reads the magic bytes, or an entropy scan, will show the mismatch. Disguising the container as a file type that is itself high-entropy (a JPEG, a ZIP) raises the bar slightly but still fails the header check.
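As an added example (not code from the original post), here is a small Python check of the kind the text says most scanners skip: it compares a file's first bytes with the header its extension implies and measures the byte entropy of an initial sample. The "flx_install.exe" container above, and the renamed IMG23084.JPG discussed in the comments, both fail it, because a TrueCrypt container has no recognisable header and is uniformly random. The magic-byte table, the 7.8 bits-per-byte threshold and the sample files are all constructed for this example, and it goes beyond the single .exe case in the text by covering a handful of common file types.

```python
import math
import os
import random
from collections import Counter
from typing import Dict, Optional, Tuple

# Leading bytes ("magic") a file with the given extension is expected to
# start with. Constructed for this example; a real tool would use a fuller
# table (or libmagic).
EXPECTED_MAGIC = {
    ".exe": (b"MZ",),
    ".dll": (b"MZ",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".pdf": (b"%PDF-",),
    ".zip": (b"PK\x03\x04", b"PK\x05\x06"),
    ".gz": (b"\x1f\x8b",),
}

# The plug-in entropy estimate of a 4 KiB sample of uniformly random bytes is
# about 7.95 bits/byte; encrypted or compressed data lands above this threshold,
# text and most executables well below it. Threshold chosen for this example.
RANDOM_THRESHOLD = 7.8
SAMPLE = 4096


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def magic_matches(name: str, data: bytes) -> Optional[bool]:
    """True/False when the extension is in the table, None when it is unknown."""
    expected = EXPECTED_MAGIC.get(os.path.splitext(name)[1].lower())
    if expected is None:
        return None
    return any(data.startswith(m) for m in expected)


def inspect_file(name: str, data: bytes) -> Tuple[str, float, Optional[bool]]:
    """Return (verdict, entropy of the first SAMPLE bytes, magic_ok).

    Entropy alone is not a signal (JPEG/ZIP payloads are near-random too), so the
    verdict combines the header check with the entropy measurement.
    """
    ent = shannon_entropy(data[:SAMPLE])
    magic_ok = magic_matches(name, data)
    looks_random = ent >= RANDOM_THRESHOLD
    if magic_ok is False and looks_random:
        verdict = "suspicious"      # claims a known type, has no header, uniformly random
    elif magic_ok is False:
        verdict = "mismatch"        # wrong or corrupt header but structured content
    elif magic_ok is None and looks_random:
        verdict = "random-unknown"  # no type claim, opaque random blob
    else:
        verdict = "ok"              # header matches; high entropy is normal for jpg/zip/gz
    return verdict, ent, magic_ok


def constructed_samples() -> Dict[str, bytes]:
    """Deterministic sample 'files' built here for the example (not real files)."""
    rng = random.Random(20240101)

    def rand(n: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(n))

    return {
        # a plausible PE stub: MZ header, DOS stub text, mostly zero padding
        "setup.exe": b"MZ\x90\x00" + b"This program cannot be run in DOS mode." + b"\x00" * 4000,
        # a stand-in for a TrueCrypt container renamed to look like an installer:
        # no header at all, random from byte 0
        "flx_install.exe": rand(64 * 1024),
        # a JPEG-like file: correct SOI marker followed by random-looking compressed payload
        "IMG23084.JPG": b"\xff\xd8\xff\xe0" + rand(4000),
        # the same kind of container with an extension the table does not know
        "cache.bin": rand(8192),
    }


if __name__ == "__main__":
    for fname, blob in constructed_samples().items():
        verdict, ent, magic_ok = inspect_file(fname, blob)
        print(f"{fname:18} entropy={ent:.3f} magic_ok={magic_ok} -> {verdict}")
```

Run it directly to print one verdict per constructed sample. The point of the combined check is that a container renamed to a compressed type (JPEG, ZIP) is caught only by the header mismatch, since its entropy is what such a file would have anyway, while a container renamed to an executable or PDF is flagged on both counts.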

Conclusion

What can we take away from all this?

If you have to transport sensitive information across borders, avoid doing it in person if at all possible. Courier or post physical data; upload and then download digital data.

5 Comments on "Travelling with Sensitive Information"

TrueCrypt works a lot better to send messages that, if intercepted, are practically impossible to open — the limitation being a backdoor.

I am curious to know, is there such a thing as triple encryption — meaning sending as a TrueCrypt corrupt file on a VPN, through an already secure server per se, or as PGP even, for making it quadruple secure. Does it matter? Just thought to ask…

You can encrypt as much as you like, but at some point you’re sacrificing usability for security with diminishing returns. If someone gets through three levels of encryption, is a fourth really going to save you? Is it worth all the hassle? That’s for you to decide.

The most commonly exploited weakness in encryption isn't the number of cascaded layers; it's bad keys (passwords, passphrases). Tenfold cascaded multi-algorithm encryption with ten weak keys is less secure than single-layer encryption with a strong key.

Another risk to consider is if one of your cascaded levels of encryption contains a broken algorithm. If that somehow can be exploited, it may reveal all the underlying data (for example, if keys are stored in memory which is stored on the layer encrypted with the bad algorithm).

TrueCrypt also allows single files to be encrypted, with or without a second, hidden partition. Using the theory of hiding in the weeds, a laptop can have a group of vacation photos or the like, with a single file encrypted. For the average user, it will just show up as a corrupt file. For others, first the file would have to be discovered, and with double encryption one can disclose only the first key.

Thanks for your comment! You raise a very good point. I’d only add that a highly advanced and determined adversary will likely be able to tell that IMG23084.JPG isn’t a corrupt JPEG and suspect foul play.